Legal claims defining the scope of protection, as filed with the USPTO.
1. An abnormal traffic detection apparatus that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, comprising: an amount information storing unit configured to store amount information on an amount of traffics as an amount information table, the amount information table corresponding to each ISP that is a destination of the traffics, the amount information being included in the traffic information; a storage controlling unit configured to identify the ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information, the storage controlling unit configured to, when a destination IP address identified by the traffic information is already stored in the amount information table corresponding to the identified ISP, store the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and the storage controlling unit configured to, when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, store the amount information in the amount information table corresponding to the identified ISP; and an abnormal traffic judging unit that judges, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
2. The abnormal traffic detection apparatus according to claim 1, wherein the storage controlling unit is configured to identify the ISP as the destination of the traffics on the basis of a destination MAC (Media Access Control) address and a destination VLAN (Virtual Local Area Network), both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
3. The abnormal traffic detection apparatus according to claim 1, wherein the judging unit is configured to store threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and is configured to compare, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.
4. An abnormal traffic detection method that, when traffics are transmitted and received between a plurality of ISPs (Internet Service Providers) connected to the Internet via a switch, monitors traffics passing through the switch and uses traffic information on the monitored traffics to detect abnormal traffics toward the ISPs, the method comprising: a traffic information acquiring step of acquiring the traffic information; a destination identifying step of identifying the ISP which is a destination of the traffics on the basis one or more destination IP addresses of the traffic information; an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and an abnormal traffic judging step of judging, for each of the ISPs or each of the routers, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
5. The abnormal traffic detection method according to claim 4, wherein the amount information storing step includes identifying the ISP as the destination of the traffics on the basis of a destination MAC address and a destination VLAN, both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
6. The abnormal traffic detection method according to claim 4, wherein the abnormal traffic judging step includes storing threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and comparing, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.
7. A non-transitory computer readable storage medium that stores an abnormal traffic detection program that uses traffic information on traffics, which are monitored when transmitted and received passing through a switch between a plurality of ISPs (Internet Service Providers) connected to the Internet via the switch, to cause a computer to detect abnormal traffics toward the ISP, comprising: a traffic information acquiring step of acquiring the traffic information; a destination identifying step of identifying an ISP which is a destination of the traffics on the basis of one or more destination IP addresses of the traffic information; an amount information storing step of storing when a destination IP address identified by the traffic information is already stored in an amount information table corresponding to the identified ISP, the identified IP address and the amount information in the amount information table corresponding to the identified ISP, and when a destination IP address identified by the traffic information is not stored in the amount information table corresponding to the identified ISP, storing the amount information in the amount information table corresponding to the identified ISP, the amount information being included in the traffic information; and an abnormal traffic judging step of judging, for each of the ISPs, whether the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table.
8. The non-transitory computer readable storage medium according to claim 7, wherein the amount information storing step includes identifying the ISP as the destination of the traffics on the basis of a destination MAC address and a destination VLAN, both of which are included in the traffic information, and previously-stored information on a ISP corresponding to the destination MAC address and the destination VLAN.
9. The non-transitory computer readable storage medium according to claim 7, wherein the abnormal traffic judging step includes storing threshold values, which are used in judging whether the traffic amount is abnormal, for the respective amount information tables, and comparing, for each of the amount information tables, the amount information stored in the amount information table and the threshold value corresponding to the amount information in order to judge whether the traffic amount flowing through the switch is abnormal.
10. The abnormal traffic detection method according to claim 4, further comprising a notifying step of notifying one of the ISPs that there is abnormal traffic when the traffic amount flowing through the switch is abnormal on the basis of the amount information stored in the amount information table corresponding to the ISP.
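The following is an added illustration, not part of the patent text or any implementation by the applicant, of the steps recited in claims 4 to 6 and 10: flows are attributed to a destination ISP by destination MAC and VLAN, byte counts are accumulated per destination IP in that ISP's amount table, and each table is judged against its own threshold. The flow tuple layout, the mapping, the thresholds, the function names and the choice to compare each destination IP's total against the table threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed mapping (claim 5): (destination MAC, destination VLAN) -> ISP.
ISP_BY_MAC_VLAN = {
    ("00:00:5e:00:53:01", 100): "isp-a",
    ("00:00:5e:00:53:02", 200): "isp-b",
}

# Constructed per-table thresholds, bytes per monitoring interval (claim 6).
THRESHOLD_BYTES = {"isp-a": 5_000_000, "isp-b": 1_000_000}

# Constructed flow samples: (dst_mac, dst_vlan, dst_ip, bytes).
SAMPLE_FLOWS = [
    ("00:00:5E:00:53:01", 100, "192.0.2.10", 1_200_000),
    ("00:00:5e:00:53:01", 100, "192.0.2.10", 4_100_000),
    ("00:00:5e:00:53:01", 100, "192.0.2.77", 300_000),
    ("00:00:5e:00:53:02", 200, "198.51.100.5", 400_000),
    ("00:00:5e:00:53:02", 200, "198.51.100.5", 500_000),
    ("00:00:5e:00:53:ff", 300, "203.0.113.9", 9_000_000),  # no known ISP
]


def build_amount_tables(flows):
    """Return ({isp: {dst_ip: total_bytes}}, flows with no known ISP)."""
    tables = defaultdict(lambda: defaultdict(int))
    unmapped = []
    for dst_mac, dst_vlan, dst_ip, nbytes in flows:
        isp = ISP_BY_MAC_VLAN.get((dst_mac.lower(), dst_vlan))
        if isp is None:
            # Keep unattributed flows visible instead of dropping them silently.
            unmapped.append((dst_mac, dst_vlan, dst_ip, nbytes))
            continue
        # A new destination IP starts at 0; a known one is accumulated.
        tables[isp][dst_ip] += nbytes
    return {isp: dict(table) for isp, table in tables.items()}, unmapped


def judge(tables, thresholds):
    """Compare each ISP's table with that ISP's threshold (claims 4 and 6)."""
    alerts = []
    for isp, table in sorted(tables.items()):
        limit = thresholds[isp]  # a missing threshold is a config error: fail loudly
        for dst_ip, total in sorted(table.items()):
            if total > limit:
                # This record is what a notifying step (claim 10) would send to the ISP.
                alerts.append({"isp": isp, "dst_ip": dst_ip,
                               "bytes": total, "threshold": limit})
    return alerts


if __name__ == "__main__":
    amount_tables, unattributed = build_amount_tables(SAMPLE_FLOWS)
    print(judge(amount_tables, THRESHOLD_BYTES), len(unattributed))
```
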
April 16, 2013